Backup events from IDS 4215

Unanswered Question
Aug 17th, 2008

Is it possible to copy the IPS event log files to a server from a Cisco IPS 4215 device?

rhermes Mon, 08/18/2008 - 08:13

Assuming you want to be able to look through the events and find something of interest at a later date: if you have 5 or fewer sensors, try using the free Cisco Manager Express

http://www.cisco.com/cgi-bin/tablebuild.pl/ips-ime

If you have more than 5 sensors, you're looking for a SIM like Cisco's CS-MARS, NetForensics, Intellitactics, etc...

whhtnetwork Tue, 01/26/2010 - 09:00

Hi guys, I would really appreciate it if someone can help me in finding out

how I can back up my previous logs from IME.

bnidacoc Wed, 01/27/2010 - 11:58

You might find that IME > File > Export would work well for you. Unlike IME's embedded Event Monitoring tool's limitation of the last 999 hours, the export can export data going well beyond that. I'm not sure if Cisco has a limit to IME's data retention, or will institute a limit in IME. My export takes me back to what I believe is the date I installed the software, June 2008. (Unix dates, BTW.)

The version of IME I use is 6.2.1.  Hopefully the same capability remains in future versions of IME.

whhtnetwork Thu, 01/28/2010 - 02:24

Thanks for the reply,

If I export data from IME for December, after the export would it be deleted from the database?

As I have exported data for the December period, but the DB size is the same, and when I search any event from the December time frame, I can see events. I am actually wondering, if after export the data doesn't get exported, then eventually my DB size will be huge?

bnidacoc Thu, 01/28/2010 - 08:36

I have performed the export multiple times and I still see 2008 data in it.  So, it may not be removing anything.

If there is a size/date limit to IME's locally retained data, I do not know what it would be.  Maybe someone from Cisco can address this authoritatively.

whhtnetwork Fri, 01/29/2010 - 03:11

Thanks,

Let me discuss with one of my suppliers, because as far as I have searched I have not found any published document from Cisco about IME in detail.

whhtnetwork Mon, 02/01/2010 - 07:33

Thanks for replying.

Have you ever experienced that if you close the IME application it doesn't collect logs for that specific time interval, and then when you run the application, it cannot get those alarms from the IPS?

I hope you understand what I mean...

My IME stopped responding on Friday night and when on Monday morning I try to pull a report from IME, it cannot retrieve data... What I believe is it should be able to retrieve it, as that data should be stored in the IPS buffers...??? When I try to check events from the last 72 hours I can see very few events from the Saturday and Sunday dates; however they are very few triggered alarms as compared to previous weekend days.

What do you suggest?

Farrukh Haroon Wed, 02/03/2010 - 04:12

The events processing is done by the service at the end. If the IME console is closed, the service should keep running (under normal operation).

There is a bug in IME that causes it to shut down its service every time you log off from your machine, maybe this is the bug you are hitting.

Exporting the events should not delete them from the database.

Also the new IME supports up to 10 IPS devices, not just 5.

Please rate if helpful.


Regards

Farrukh

whhtnetwork Wed, 02/03/2010 - 06:35

Thanks Haroon, it was helpful.

So is there any way to decrease the size of the database (because I see a lot of files in the Data folder, but I am unable to find out how they increment, because there is no specific pattern like if one file comes to a specific size, or it increments after 1 week)?

Secondly, is there any workaround to sort this "stop services" bug? Whenever I close IME it doesn't record data for that specific time interval.

Regards

Farrukh Haroon Fri, 02/05/2010 - 23:43

I'm sorry but I don't think Cisco publicly releases any internals of the database. It would be better if you open a case for this or have someone from Cisco comment on this.

I would expect the service down issue to be solved in a future release, because it is a major pain.

Regards


Farrukh

whhtnetwork Mon, 02/08/2010 - 03:33

Thanks

Well, I tried copying the SQL data folder and it worked with a new installation... I can extract the information for those dates.
